-
Security and Penetration Testing D80B5400025 (SVPT)
Questions From Pre Bid Conference
Question 1, Page 6 & 7 MR. GONZALEZ: Once we get our
questions over to you tomorrow, what's the time line for getting it
back to us so
that we can put our response on a final report?
Answer: MR. SPENCE: We're going to get them back as soon as
possible.
Question 2, Page 8 MR. GONZALEZ: So is the volume of questions
or the amount of time it's going to take to get -- answer those
questions, going to impact the final date? The 31st is the date
today right now. Is that -- would
that push that back?
Answer: MR. SPENCE: If we feel like we need an extension, then
we will extend it.
Revised Answer: Please see the amended TORFP. MIA has extended
the closing date until 03/17/2017.
Question 3, Page 8, 9 MR. TRUMP: The question I have is, we
deliver a host of services and one of the things I noted that we've
seen a lot of other agencies look for is incident response. And I
was wondering if it's -- if
it's too late to provide an optional service such as incident
response program review, retain
incident response services for instance to supplement the MIA's
security program That's one of
the questions I have.
It wasn't requested as one of the items in the technical scope.
So we were wondering if -- if it's
possible to add an optional scope to this at this time, If it's
not, then understood. But we did want
to ask that question.
Answer: MR. SPENCE:
-
That's something we're going to research and get back to you
on.
Revised Answer: Section 2.15 of the SVPT solicitation titled
“SECURITY REQUIREMENTS
AND INCIDENT RESPONSE,” defines the incident response
requirements for this
solicitation. MIA does not intend to amend that section.
Question 4, Page 10 MR. MAMMO: You have required us to have
three personnel performing this project. But you have not
specified
which positions. In the CATS+ contract, there are positions
under the contract. And usually when they run down RFPs, they will
choose what the category, meaning which positions for that
level categorization for this -- this RFP. So my question is can
you tell us what those three positions are or is it open for
us?
The job categories are – are fixed. There is a list of job
positions under CATS+. So when you are -- are asking us to submit
personnel, it has to be from that -- one of those listings.
Answer: MR. SPENCE: I'll have to take a look at what you're
talking about. Please submit that in writing and we'll answer your
questions.
Revised Answer: Contractor responsibilities including, KEY
Personnel requirements are
defined in section 2 of the solicitation. Offerors may propose
job descriptions for KEY
Personnel. Those job descriptions do not have to correspond with
job descriptions under the
CATS Plus master contract.
Question 5, Page 11 MR. MAMMO: How does that impact -- how soon
you can respond back when the project is due? Like if you do
not respond by let's say January 30th and the project is due the
next day, that means we didn't
have enough time to send our responses. So can you give us at
least one week working -- after
you give the responses?
Answer: MR. SPENCE: We're going to do our best to get the
answers to the questions out as quickly as possible. If we feel
like we need to put an extension, then we will give you a
reasonable amount of time to
respond.
-
Revised Answer: Please see the amended TORFP. MIA has extended
the closing date until 03/17/2017.
Question 6, Page 12 MR. BROWN: The level of -- one of the
requirements has a level of detail for a scan. And it wants us to
look at
potential compromised systems. Are you expecting a forensic
analysis or a very high level scale
of IP addresses and those external locations that are probably
coming into your environment that
you weren't aware of?
Answer: MR. COBURN: Not a forensics analysis. MR. BROWN: So not
a deep dive? Answer: MR. COBURN: No
Question 7, Page 13, 14 MR. BROWN: There's a certification in
there that you're requiring from some of the individuals. MS.
ESLIN: The IAM Certification MR. BROWN: Yeah. Is that a hard stop
if they do or don't have that certification for individual
firms? MR. TRUMP: Same question, same concern.
Answer: MR. SPENCE:
If we were to change that, it would require like some sort of
amendment. So I could say for now,
it's a hard stop. If it's in the solicitation, then that's what
we're asking.
Revised Answer: Please see the amended TORFP. The InfoSec
Assessment Methodology
(IAM) Certification and the Cisco Master Security Specialized
Partner Certification are now
preferred qualifications.
Question 8, page 15 MR. TRUMP: Is all the work to be conducted
in one facility or is there multiple MIA facilities in your --
Answer: MR. COBURN: One facility.
-
Question 9, Page 15, 16 MR. TRUMP: And then to clarify, the
three requirements -- the external testing, internal testing, PEN
testing --
so there's a few ways we could bucketize [sic] this research.
One, for instance, would be full vulnerability scan and so forth
without invasive action on the external and internal providing all
of the theoretical holes that are there with mitigation
recommendations.
And then secondly, using the PEN test for actually -- an --
attack attempts. Otherwise, we could
do an internal/external PEN test with full capability, which
would omit the need for another PEN test following. So we're
anticipating to provide a response to vulnerability scans and
non-
invasive testing for the internal/external with full reporting
and then do the attack testing internally using the PEN test
binary.
Answer: MR. COBURN: I would submit a question on that.
Question 10, Page 16 MR. BROWN: Is this the first time you've
done this level of testing or has it been done in the past by
another vendor?
Answer: MR. COBURN: We've had a light testing done by DOIT. They
offered a free web assessment vulnerability test. MR. BROWN: But
not a scaling test like this? MR. COBURN: No. This is the most
intensive test we've had to date.
Question11, Page 17 MR. BROWN:
MR. COBURN: I don't want to guess. I think it's a continued in
the future, I believe but I, you know -- submit that question and
we'll respond.
Question 12, Page 17 MR. MAMMO: And finally, when do you expect
to start this project?
-
Answer: MR. SPENCE: As soon as possible.
Question 13, Page 17 MR. GONZALEZ: We saw the certifications
changed with the last solicitation. You know, what was the emphasis
around that? Was that -- again, is that a hard stop or, you know,
just questioning regarding that as
far as -- again it's not a certification. It's not,
MR. COBURN: Which certification are you talking about?
MR. MAMMO: The SSCP. MR. GONZALEZ: The SSCP --
MR. MAMMO: That was added after the last revision on January
1st.
Answer: MR. COBURN: Submit a question on that and we will get
some clarifications. I believe all the minimum requirements are
going to be required for this test.
MR. SPENCE: The minimum requirements aren't going to change.
Revised Answer: Please see the amended TORFP. The InfoSec
Assessment Methodology
(IAM) Certification and the Cisco Master Security Specialized
Partner Certification are now
preferred qualifications.
Questions From Email
1. Will InfoSec Assessment Methodology (IAM) Certification be
required and can exception be granted if this not currently
available?
Please see the amended TORFP. The InfoSec Assessment Methodology
(IAM)
Certification and the Cisco Master Security Specialized Partner
Certification are now
preferred qualifications.
2. What is the budget expectation for this work effort for the
base year and then optional years?
The Budget approved for this service is $30,000.00
3. Who is the current provider of these services? No current
provider.
http:30,000.00
-
4. How many document reviews and interviews will be expected for
each of the specific requirements in section 2.6 (A, B, C, D, E,
and K)?
The State’sDepartment of Information Technology (DoIT) Security
Policy and the MIA’s
Security Policy are the only internal document we expect to be
reviewed. The number of
interviews would be determined by the vendor.
5. How many scans per year are expected for each of the
requirements in section 2.6? We expect that all scanning in the
scope of the TORFP as defined in Section 2.8.4 would
be done once during the contract year.
6. Please clarify the scope and details expected for requirement
D in section 2.6, is this a detailed forensic review or a simple
scan of which devices are communicating with
unknown internet traffic?
Simple scan.
7. Are there any specific threats you are concerned about?
No.
8. Is there any specific private information stored or transmit
that you are particularly concerned about?
PII and PHI data.
9. Have there been any past information security incidents we
should take into consideration while performing our testing?
No.
10. How many users do you have? How many IT Staff? Are they
in-house or outsourced?
MIA has approx 300 internal users and 16 in-house IT staff.
11. Are there remote access capabilities for your network (such
as a VPN or remote desktop
software like RDP, LogMeIn, GoToMyPC, etc.)?
Yes, VPN and Terminal Services.
12. How many Internet/public facing servers do you have
(physical and virtual)? How many public IP addresses?
One physical and three virtual servers and thirty public IP
addresses –
167.102.134.128/27.
13. How many physical offices/locations do you have?
One physical office building and one physical remote
location.
14. How many internal servers do you have (physical and
virtual)?
Approx thirty servers will be in scope for security penetration
testing.
-
15. How many network devices by type (i.e. firewalls, routers,
switches, load balancers, etc.)
are in scope? Do you want them assessed only from the
perspective of an attacker, or
will you also provide configuration files for review of
configuration?
One firewall, one WAF, one router and one DMZ switch are in
scope. Assessment should
be from the perspective of an attacker.
16. How many (estimated) internal hosts do you have?
Thirteen VMware ESXi hosts.
17. Are your servers self-hosted or hosted elsewhere?
Self hosted.
18. How many IP addresses are in scope (internal and
external)?
10.120.240.0/24 and 172.30.0.0/21 are internal IP addresses and
167.102.134.128/27
are external.
19. Are all of the in-scope systems available from a single
network segment?
In separate VLAN’s
20. Is port security or NAC controls present in the environment
that would interfere with the
presence of unmanaged systems?
No.
21. Do you self-host your email or use a hosting provider?
MIA uses the State of Maryland’s Google Apps environment for
email.
22. Do you self-host your website or use a hosting provider?
The MIA web site is hosted by the State of Maryland’s Department
of IT (DoIT).
23. Do you want a vulnerability assessment or full penetration
test for the website and web
applications? Will the applications be tested with and without
credentials? If so, how
many different user roles/sets of credentials will be tested for
each application?
MIA website and web applications are not in scope for security
penetration testing.
24. Are any email contact forms or forms present that may
generate tickets or emails if
posted to? (Automated web application vulnerability scanners
will be used during the
assessment that send a multitude of posts to web forms. As a
result of this scanning
thousands of emails, alerts and tickets may be generated).
MIA website and web applications are not in scope for security
penetration testing.
25. Will the network be stable during the test, no changes?
Yes.
26. If vulnerability is discovered on a desktop, server or
network device, does ePlus have
permission to trigger the vulnerability with an exploit?
Not without advance approval.
-
27. If a system is compromised, does EPlus have permission to
execute post exploitation
commands to recover passwords, search memory and recover
document and folders?
Not without advance approval.
28. If a system is compromised, does EPlus have permission to
use that system as a pivot
point for further network attacks?
Yes.
29. If access to a privileged account is gained, does EPlus have
permission to access the
Domain Controller?
Not without advance approval.
30. If access to a privileged account is gained, does EPlus have
permission to access the mail
servers?
Yes.
31. If access to a privileged account is gained, does EPlus have
permission to access the
database servers?
Not without advance approval.
32. If Domain Controller access is gained, does EPlus have
permission to create accounts?
Not without advance approval.
33. If Domain Controller access is gained, does EPlus have
permission to recover the password hashes?
Not without advance approval.
34. Do you wish to include Arp poisoning attacks in the
penetration test?
No.
35. What types of social engineering testing do you require?
(i.e. email phishing, phone
phishing, onsite breach of physical security, etc.) If phishing
is required, how many users
will be targeted for each type of phishing, and how many
separate attempts should be
made for each user? Can phishing be performed in conjunction
with our other testing (in
which case, information obtained will be used in other testing
areas), or must it be a
separate and distinct test? If breaches of physical security are
to be attempted, what are
the locations to be tested?
Which physical locations are in scope for the Wireless
Assessment? How many SSIDs and APs at each location will be in
scope?
Are there any time limits for how long the exercises are to be
conducted? Are there any additional notes, concerns, or parameters
that need to be considered
that you would like to highlight?
Social engineering and wireless testing are not in scope.
36. General Information
a. What is the primary driver for having a penetration test
performed? See section 2.2.2. of the TORFP.
-
b. If the penetration test driver is for regulatory compliance,
which specific requirement(s) applies?
The driver is not for regulatory compliance.
c. Have you had penetration tests performed in the past? If so,
when was the most recent one performed?
Yes, DoIT conducted penetration tests on the MIA’s web
applications in 2015.
d. Is the plan to have penetration test performed on a recurring
basis or as needed? If recurring, how often?
As needed.
e. What are your currently installed security tools / suites?
IBM Q-Radar.
f. Have you conducted a Cyber Security Data Management
Analytics? Do you want us to look into that?
No to both questions.
37. Application or Infrastructure
g. Is testing to be completed at an application level or
infrastructure level or both?
Both.
h. When does testing need to start and/or be completed by?
We have no pre-determined schedule.
i. Do you have any specific / custom reporting requirements?
No.
j. Is there to be an allowance made for re-testing for the
system after remediation? No any re-testing would be contracted via
a supplemental Work Order.
38. External Penetration Testing
k. Is the penetration test going to include network layer
testing? If so, how many IP addresses will be included in the scope
of testing?
Yes. 10.120.240.0/24 and 172.30.0.0/21 are internal IP addresses
and
167.102.134.128/27 are external.
l. Do you want us to have any of the identified vulnerabilities
exploited? No.
m. Is the penetration test going to include application layer
testing? If so, how many websites and / or web applications will be
included in the scope of testing?
No and none.
n. Are the targets in the scope of testing live and in
production? Yes.
o. If websites are included in the scope and portions of the
website require credentials to access, how will that be
handled?
Not applicable.
p. If there are IPS solutions or web application firewalls in
place that can prevent or block penetration test activities, how
will they be handled?
Configured as normal.
39. Scale – Ranges – Hosts – Location q. What range of IP
address will be provided?
-
10.120.240.0/24 and 172.30.0.0/21 are internal IP addresses and
167.102.134.128/27
are external.
r. How many hosts or devices are to be tested? Approximately 30
servers, one firewall, one WAF, one router and one DMZ switch are
in
scope.
s. Is testing to be external or internal? Both.
t. Is testing to be conducted during business hours or
non-business hours? During non-business hours.
u. What are the affected wireless infrastructure physical
addresses? Not applicable.
40. Internal Penetration Testing Targets
v. What is the total number of targets that will be included in
the scope of testing? Approximately 50.
w. If servers are included in the scope of testing, what is the
approximate number to be tested?
Approximately 30.
x. If workstations are included in the scope of testing, what is
the approximate number to be tested?
Approximately 10.
y. If network devices are included in the scope of testing, what
is the approximate number to be tested?
One firewall, one WAF, one router and one DMZ switch are in
scope.
z. If peripherals are included in the scope of testing, what is
the approximate number to be tested?
Not applicable.
aa. The conventional approach for conducting internal
penetration testing is to allow
the tester on the premise; connect to the corporate network and
obtain a valid IP
address; be placed on a network with the targets or is routable
to the networks
with the targets; any security systems in place treat the
tester’s machine as any normal user’s machine. If your expectation
of the approach differs from the above, please explain.
The MIA’s expectation is consistent with this approach.
41. Application / Systems Testing
bb. What applications / systems are subject to testing? Please
provide URLs if possible. Please provide a test login to enable us
to walk through the application.
None.
cc. What are the major functions of the target applications /
systems?
Not applicable.
dd. Is testing to be completed with or without valid user
credentials?
Not applicable.
ee. Are the applications in-house developed or based on
commercial products? If in-
house, what language was used in the development?
Not applicable.
-
ff. Will the system be in production at the time of testing? Not
applicable.
gg. How many pages are in the application?
Not applicable.
hh. How many input fields (approx.) does the application
have?
Not applicable.
42. Databases and Data Analytics
ii. How many databases are running in production? What kind? And
what’s the approximate size of each database?
Not applicable.
jj. Do you currently have any cloud implementation? If yes, what
are the scope and protocols of your cloud infrastructure?
Cloud infrastructure is not in scope for security penetration
testing.
kk. Have you conducted a Cyber Security Data Management
Analytics? Do you want
us to look into that?
No to both questions.
ll. Has there been any form or cyber-attack or systems / data
compromise at MIA? Not that we are aware of.
mm. Any incidents you would like to share with us?
No.
43. MIA Business Unit Locations and Wireless Infrastructures
nn. What are the physical addresses for all MIA’s business units
and wireless infrastructures?
Physical address is for the MIA business units is 200 St. Paul
Place Baltimore,
Maryland 21202 and wireless infrastructure is not in scope for
security penetration
testing.
44. User Training and Manuals
oo. Do you expect us to engage in user training functions?
No.
pp. Do you expect us to prepare User Cyber Security Best
Practices Manuals?
No.
45. Proposed Personnel and Task Order Staffing
qq. We are required to propose three Key Personnel as per the
TORFP. What are the specific CATS+ Master Contract Project Number
Labor Categories for these
positions? Out pricing will be determined on these labor
categories.
Contractor responsibilities including, KEY Personnel
requirements are defined in section
2 of the solicitation. Offerors may propose job descriptions for
KEY Personnel. Those job
descriptions do not have to correspond with job descriptions
under the CATS Plus master
contract.
46. TORFP Minimum Qualifications
-
rr. We have found that the InfoSec Assessment Methodology (IAM)
Certification is an outdated certification. Could you please
consider removing this requirement?
ss. Would you please change the requirement for a Cisco Master
Security Specialized Partner Certification to a Current Industry
Recognized Cyber Security solutions
and services certification?
Please see the amended TORFP. The InfoSec Assessment Methodology
(IAM)
Certification and the Cisco Master Security Specialized Partner
Certification are now
preferred qualifications.
47. New TORFP Released on 1/4/2017
tt. There are several changes on the new TORFP released on
1/4/2017. Namely the following sections have been removed from 2.6
Requirements:
i. Regulatory Requirement Assessment
ii. Business Continuity Assessment
iii. Social Engineering Assessment
iv. Web Applications and Website Security Test
v. Wireless Infrastructure Test
What are the purposes and scopes of these changes? What are the
performance
and deliverable impacts of these changes in this project?
The purpose of these changes is to reduce the scope of work.
Section 2.8.4 of the TORFP
has been updated to reflect a reduced number of deliverable to
correspond with these
changes.
48. Can we provide supplemental information on professional
services that compliment or
enhance what’s listed in the TORFP?
Yes
49. On page 21 of the TORFP, under 2.9.1 you have listed Cisco
Master Security Specialized
Partner Certification as a minimum requirement. While this Cisco
certification is Cisco’s partnership and marketing measure, our
team possess highly regarded and industry
leaders’ certifications. Would MIA be willing to change these
two minimum requirements: InfoSec Assessment Methodology (IAM)
Certification and the Cisco
Master Security Specialized Partner Certification to Industry
Leaders Recognized,
Current and Most Relevant Certifications?
Please see the amended TORFP. The InfoSec Assessment Methodology
(IAM)
Certification and the Cisco Master Security Specialized Partner
Certification are now
preferred qualifications.
50. Would MIA allow proposal of the listed optional services to
include our Incident Response Plan Development and Table Top
Exercise Services?
We do not need these services. However you are free to add them
to your proposal.
51. Is it appropriate to propose vulnerability scans and less
invasive techniques to meet the
intention of the MIA Internal and External Testing requirements;
while with MIS’s
-
agreement during the rules of engagement perform more aggressive
testing to identify
and attack significant cyber targets to meet the Penetration
Testing requirement?
To be considered “responsive” a bid must conform in all material
respects to the specifications outlined in the RFP.
52. How many days are you going to allow for the submission of
our proposals after you
respond to our questions? At least a week would be great.
Please see the amended TORFP. MIA has extended the closing date
until 03/17/2017.
-
Pre-Bid Conference 1/17/2017 Pre-Bid Conference for Security and
Penetration Testing
Page 1 STATE OF MARYLAND
MARYLAND INSURANCE ADMINISTRATION
Office of Procurement
200 St. Paul Place, Suite 2700
Baltimore, Maryland 21202
IN RE:
PREBID CONFERENCE FOR SECURITY PENETRATION TESTING
Reported by: Erica Jones, Court Reporter
EVANS REPORTING SERVICE
The Munsey Building, Suite 705
Seven North Calvert Street Baltimore, Maryland 21202410.727.7100
800.256.8410
Coast to coast coverage Evans Reporting Service Over 25 years
Unsurpassed excellence 800-256-8410 award-winning service
-
Pre-Bid Conference 1/17/2017 Pre-Bid Conference for Security and
Penetration Testing
Page 2 1 PRE-BID CONFERENCE
2 A Pre-bid Conference in the
3 above-captioned matter held before the State of
4 Maryland Insurance Administration, on Tuesday,
5 January 17, 2017, commencing at 2:03 p.m., and
6 reported by Erica Jones, Court Reporter and Notary Public.
7
8 APPEARANCES:
9
10 MIA STAFF MEMBERS:
11 Rodney Spence, MIA Procurement Officer
12 Katrina Lawhorn, MIA Procurement Officer
13 Mark Coburn
14
15 OTHERS PRESENT:
16 Antonio Frulio, IVA CommunicationsSolomon Mammo, IVA
Communications
17 Murphy Payne, IVA CommunicationsMike Gonzalez, BAE
Systems
18 Mark Trump, BAE SystemsJennifer Eslin, ePlus
19 Ron Brown, ePlus
20
21
Coast to coast coverage Evans Reporting Service Over 25 years
Unsurpassed excellence 800-256-8410 award-winning service
-
Pre-Bid Conference 1/17/2017 Pre-Bid Conference for Security and
Penetration Testing
Page 3 1 CONFERENCE PROCEEDINGS:
2 MR. SPENCE: My name is Rodney Spence.
3 Good afternoon and thank you for coming here. I'm
4 the procurement officer and this is the Pre-bid
5 Conference for Security and Penetration Testing.
6 The solicitation number is D80B5400025. There's no
7 new media involved for this solicitation. There is
8 no VSB involved in this solicitation either. This
9 solicitation is being done by competitive sealed
10 proposal. The State uses a two-part evaluation
11 process as far as there's a technical evaluation.
12 And then there's a financial evaluation.
13 If your technical proposal does not meet
14 our minimum qualifications or requirements, then we
15 will send your financial proposal back to you
16 unopened. If we have questions about your
17 technical, then we will need to resolve those
18 questions before we move on to your financial.
19 At this point, I'm going to let the rest
20 of the people on the panel introduce themselves and
21 state their positions. And we will get into some
Coast to coast coverage Evans Reporting Service Over 25 years
Unsurpassed excellence 800-256-8410 award-winning service
-
Pre-Bid Conference 1/17/2017 Pre-Bid Conference for Security and
Penetration Testing
Page 4 1 question and answer. When we do the question and
2 answer, I would ask that we go from right to left,
3 front to back, state your name, state the company
4 that you work for. If you don't have a question,
5 just for the record, we would still ask that you
6 state your name and company that you work for.
7 MS. LAWHORN: I'm Katrina Lawhorn, a
8 procurement officer also.
9 MR. COBURN: I'm Mark Coburn and I'm team
10 infrastructure supervisor.
11 MR. SPENCE: So at this point, Mark is
12 going to tell us about the project background in the
13 scope report.
14 MR. COBURN: Yes. The MIA computing
15 infrastructure is a redundant, highly available,
16 secure system with firewalls, web application
17 firewalls, reverse proxies, intrusion prevention
18 system, intrusion detecting systems, web security
19 appliances, anti-virus software. And the State has
20 conducted web application penetration tests on some
21 of the agency's web application.
Coast to coast coverage Evans Reporting Service Over 25 years
Unsurpassed excellence 800-256-8410 award-winning service
-
Pre-Bid Conference 1/17/2017 Pre-Bid Conference for Security and
Penetration Testing
Page 5 1 But MIA is undertaking this project to
2 conduct a more thorough assessment of cyber security
3 vulnerabilities. And we're seeking a consultant to
4 make recommendations on how to mitigate these risks.
5 Some of the highlights of the project is one, we'd
6 like the vendor to assess MIA security policies and
7 procedures and infrastructure against industry
8 standard best practices and document some of the
9 deficiencies.
10 Some of the other brief descriptions
11 revolve around the external system tests. We'd like
12 them to examine the external accessible equipment
13 for vulnerabilities from inside and outside the
14 internet. Also, some other activities revolve
15 around internal system and network testing, conduct
16 vulnerability scanning and validation against
17 internal IP address ranges and configuration review
18 of all internal systems.
19 The penetration test, we'd like some
20 activities designed to emulate an actual attack and
21 attempt to access and obtain organizational data.
Coast to coast coverage Evans Reporting Service Over 25 years
Unsurpassed excellence 800-256-8410 award-winning service
-
Pre-Bid Conference 1/17/2017 Pre-Bid Conference for Security and
Penetration Testing
Page 6 1 And also, we're looking to get a risk report that
2 can basically, you know, give an assessment of the
3 test and discuss deficiencies and make
4 recommendations to mitigate deficiences. That's
5 kind of it in the things that we do.
6 MR. SPENCE: Okay. So we're going to open
7 this up for question and answer at this point. I
8 just want to make sure you guys understand the
9 questions, for any questions that we receive are due
10 tomorrow by the close of business at 5 o'clock.
11 So this gentlemen is on my right.
12 MR. GONZALEZ: Sure. Should I stand up
13 or --
14 MR. SPENCE: If you want to stand up,
15 that's fine.
16 MR. GONZALEZ: No. I'll just sit.
17 My name is Mike Gonzalez and I'm with BAE
18 Systems. We're partnered, we're teamed up with IVA
19 Communications and master contractor. One of our --
20 one of our focuses of our questions is around --
21 well, I guess first the time line about once we get
Coast to coast coverage Evans Reporting Service Over 25 years
Unsurpassed excellence 800-256-8410 award-winning service
-
Pre-Bid Conference 1/17/2017 Pre-Bid Conference for Security and
Penetration Testing
Page 7 1 our response. Once we get our questions over to you
2 tomorrow, what's the time line for getting it back
3 to us so that we can put our response on a final
4 report?
5 MR. SPENCE: Okay. So the answer to that
6 question is we're going to get them back as soon as
7 possible. The time it takes us to answer all the
8 questions is depending on how involved the questions
9 are and how many we receive.
10 Hopefully, we can get them out to you by
11 the end of the week.
12 MR. GONZALEZ: Okay.
13 MR. SPENCE: But I can't guarantee we will
14 get them to you until we know what we're working
15 with.
16 MR. GONZALEZ: Sure. I guess, can I
17 follow that up?
18 MR. SPENCE: (No verbal response.)
19 MR. GONZALEZ: Can I follow that question
20 up?
21 MR. SPENCE: Yes, sure. Go ahead.
Coast to coast coverage Evans Reporting Service Over 25 years
Unsurpassed excellence 800-256-8410 award-winning service
-
Pre-Bid Conference 1/17/2017 Pre-Bid Conference for Security and
Penetration Testing
Page 8 1 MR. GONZALEZ: So is the volume of
2 questions or the amount of time it's going to take
3 to get -- answer those questions, going to impact
4 the final date? The 31st is the date today right
5 now. Is that -- would that push that back?
6 MR. SPENCE: If we feel like we need an
7 extension, then we will extend it.
8 MR. GONZALEZ: Okay.
9 MR. TRUMP: I'm Mark Trump. I'm with BAE
10 Systems and we're teaming with -- with IVA
11 Communications. The question I have is we deliver a
12 host of services and one of the things I noted that
13 we've seen a lot of other agencies look for is
14 incident response.
15 And I was wondering if it's -- if it's too
16 late to provide an optional service such as incident
17 response program review, retain incident response
18 services for instance to supplement the MIA's
19 security program. That's one of the questions I
20 have.
21 MR. SPENCE: That sounds like a technical
Coast to coast coverage Evans Reporting Service Over 25 years
Unsurpassed excellence 800-256-8410 award-winning service
-
Pre-Bid Conference 1/17/2017 Pre-Bid Conference for Security and
Penetration Testing
Page 9 1 question.
2 MR. COBURN: Well, I think it's more of a
3 procedural. I mean it's like a -- like a
4 policy-type question where you're talking about an
5 incident response --
6 MR. TRUMP: Sure.
7 MR. COBURN: -- like what the process is
8 in case there is a --
9 MR. TRUMP: Right.
10 MR. COBURN: -- you know, a breach.
11 MR. SPENCE: More like a service level
12 agreement?
13 MR. TRUMP: Well, absolutely. It wasn't
14 requested as one of the items in the technical
15 scope. So we were wondering if -- if it's possible
16 to add an optional scope to this at this time. If
17 it's not, then understood. But we did want to ask
18 that question.
19 MR. SPENCE: That's something we're going
20 to research and get back to you. If you want to,
21 submit that question in writing.
Coast to coast coverage Evans Reporting Service Over 25 years
Unsurpassed excellence 800-256-8410 award-winning service
-
Pre-Bid Conference 1/17/2017 Pre-Bid Conference for Security and
Penetration Testing
Page 10 1 MR. TRUMP: Okay.
2 MR. MAMMO: My name is Solomon Mammo. I'm
3 from IVA Communications and I'm here with my
4 partner. The question I have for you is the specs
5 list. You have required us to have three personnel
6 performing this project. But you have not specified
7 which positions. In the CATS+ contract, there are
8 positions under the contract. And usually when they
9 run down RFPs, they will choose what the category,
10 meaning which positions for that level
11 categorization for this -- this RFP.
12 So my question is can you tell us what
13 those three positions are or is it open for us?
14 MR. SPENCE: You're asking about the CATS+
15 job descriptions, right?
16 MR. MAMMO: Well, the job's categories.
17 On the RFP --
18 MR. GONZALEZ: Categories.
19 MR. MAMMO: The job categories are -- are
20 fixed. There is a list of job positions under
21 CATS+. So when you are -- are asking us to submit
Coast to coast coverage Evans Reporting Service Over 25 years
Unsurpassed excellence 800-256-8410 award-winning service
-
Pre-Bid Conference 1/17/2017 Pre-Bid Conference for Security and
Penetration Testing
Page 11 1 personnel, it has to be from that -- one of those
2 listings.
3 MR. SPENCE: Okay. All right. What I'll
4 tell you is that I'll have to take a look at what
5 you're talking about.
6 MR. MAMMO: Okay.
7 MR. SPENCE: Please submit that in writing
8 and we'll answer your questions.
9 MR. MAMMO: Just to follow up on Michael's
10 question. So I will have the list of entire
11 question by tomorrow for you.
12 MR. SPENCE: Okay.
13 MR. MAMMO: Right. How does that
14 impact -- how soon you can respond back when the
15 project is due? Like if you do not respond by let's
16 say January 30th and the project is due the next
17 day, that means we didn't have enough time to send
18 our responses.
19 So can you give us at least one week
20 working -- after you give the responses?
21 MR. SPENCE: Okay. So I'm just going to
Coast to coast coverage Evans Reporting Service Over 25 years
Unsurpassed excellence 800-256-8410 award-winning service
-
Pre-Bid Conference 1/17/2017 Pre-Bid Conference for Security and
Penetration Testing
Page 12 1 repeat what I told him. We're going to do our best
2 to get the answers to the questions out as quickly
3 as possible. If we feel like we need to put an
4 extension, then we will give you a reasonable amount
5 of time to respond. That's something we're going to
6 look at, okay?
7 MR. FRULIO: Antonio Frulio. I'm with IVA
8 Communications and I don't have any questions.
9 MR. SPENCE: Okay.
10 MR. PAYNE: My name is Murphy Payne. I'm
11 also with IVA and I don't have questions either.
12 MR. BROWN: I'm Ron Brown from ePlus. I
13 have a question. The level of -- one of the
14 requirements has a level of detail for a scan. And
15 it wants us to look at potential compromised
16 systems.
17 Are you expecting a forensic analysis or a
18 very high level scale of IP addresses and those
19 external locations that are probably coming into
20 your environment that you weren't aware of?
21 MR. COBURN: Not a forensics analysis.
Coast to coast coverage Evans Reporting Service Over 25 years
Unsurpassed excellence 800-256-8410 award-winning service
-
Pre-Bid Conference 1/17/2017 Pre-Bid Conference for Security and
Penetration Testing
Page 13 1 MR. BROWN: So not a deep dive?
2 MR. COBURN: No.
3 MR. BROWN: Okay.
4 MS. ESLIN: I'm Jennifer Eslin. I'm also
5 with ePlus. We do have other questions and I think
6 we'll probably submit them in writing because I
7 think a lot of them are questions that you're
8 probably going to need to, you know, research and
9 get back to us and you'll want to be a part of the
10 official record.
11 So I think we will have a nice healthy
12 list for you that you'll get by tomorrow to start
13 answering.
14 MR. SPENCE: Thank you. I appreciate it.
15 MR. BROWN: Can I ask one more question?
16 MR. SPENCE: Sure. Go ahead.
17 MR. BROWN: There's a certification in
18 there that you're requiring from some of the
19 individuals.
20 MS. ESLIN: Here (indicating).
21 MR. BROWN: Yeah, if I can look for a sec
Coast to coast coverage Evans Reporting Service Over 25 years
Unsurpassed excellence 800-256-8410 award-winning service
-
Pre-Bid Conference 1/17/2017 Pre-Bid Conference for Security and
Penetration Testing
Page 14 1 (perusing).
2 MS. ESLIN: The IAM Certification?
3 MR. BROWN: Yeah. Is that a hard stop if
4 they do or don't have that certification for
5 individual firms?
6 MR. SPENCE: If we were to change that, it
7 would require like some sort of amendment. So I
8 could say for now, it's a hard stop. If it's in the
9 solicitation, then that's what we're asking.
10 MR. BROWN: Okay. You don't see a whole
11 lot of those out there.
12 MR. SPENCE: I can't hear what you're
13 saying.
14 MR. BROWN: You don't see a lot of those
15 out there very often.
16 MR. SPENCE: Okay.
17 MR. TRUMP: Same question, same concern.
18 MR. SPENCE: Well, you can submit your
19 questions. You know, when we put together our
20 answers, if something changes as a result of your
21 questions -- that's what the back and forth is
Coast to coast coverage Evans Reporting Service Over 25 years
Unsurpassed excellence 800-256-8410 award-winning service
-
Pre-Bid Conference 1/17/2017 Pre-Bid Conference for Security and
Penetration Testing
Page 15 1 for -- we will let you know.
2 MS. ESLIN: Okay.
3 Does anybody else have any other
4 questions?
5 MR. TRUMP: Follow-up. Is all the work to
6 be conducted in one facility or is there multiple
7 MIA facilities in your --
8 MR. COBURN: One facility.
9 MR. TRUMP: And then to clarify, the three
10 requirements -- the external testing, internal
11 testing, PEN testing -- so there's a few ways we
12 could bucketize [sic] this research.
13 One, for instance, would be full
14 vulnerability scan and so forth without invasive
15 action on the external and internal providing all of
16 the theoretical holes that are there with mitigation
17 recommendations. And then secondly, using the PEN
18 test for actually -- an -- attack attempts.
19 Otherwise, we could do an internal/external PEN test
20 with full capability, which would omit the need for
21 another PEN test following.
Coast to coast coverage Evans Reporting Service Over 25 years
Unsurpassed excellence 800-256-8410 award-winning service
-
Pre-Bid Conference 1/17/2017 Pre-Bid Conference for Security and
Penetration Testing
Page 16 1 So we're anticipating to provide a
2 response to vulnerability scans and non-invasive
3 testing for the internal/external with full
4 reporting and then do the attack testing internally
5 using the PEN test binary.
6 MR. COBURN: I would submit a question on
7 that.
8 MR. TRUMP: Okay.
9 MR. COBURN: That way, it's clear for
10 everybody.
11 MR. TRUMP: Understood, understood. That
12 way, we can respond back and phase over --
13 MR. SPENCE: All right. Let's -- okay.
14 MR. BROWN: Is this the first time you've
15 done this level of testing or has it been done in
16 the past by another vendor?
17 MR. COBURN: We've had a light testing
18 done by DOIT. They offered a free web assessment
19 vulnerability test.
20 MR. BROWN: But not a scaling test like
21 this?
Coast to coast coverage Evans Reporting Service Over 25 years
Unsurpassed excellence 800-256-8410 award-winning service
-
Pre-Bid Conference 1/17/2017 Pre-Bid Conference for Security and
Penetration Testing
Page 17 1 MR. COBURN: No. This is the most
2 intensive test we've had to date.
3 MR. BROWN: Again, is it a one-time with
4 an option to continue in the future or is it --
5 MR. SPENCE: I will let --
6 MR. COBURN: I don't want to guess. I
7 think it's a continued in the future, I believe but
8 I, you know -- submit that question and we'll
9 respond.
10 MR. SPENCE: We will get back to you.
11 MR. MAMMO: And finally, when do you
12 expect to start this project?
13 MR. SPENCE: As soon as possible, as soon
14 as we award it, as soon as possible.
15 MR. GONZALEZ: I'm sorry. Mike Gonzalez.
16 Basically -- and another question.
17 We saw the certifications changed with the
18 last solicitation. You know, what was the emphasis
19 around that? Was that -- again, is that a hard stop
20 or, you know, just questioning regarding that as far
21 as -- again it's not a certification. It's not,
Coast to coast coverage Evans Reporting Service Over 25 years
Unsurpassed excellence 800-256-8410 award-winning service
-
Pre-Bid Conference 1/17/2017 Pre-Bid Conference for Security and
Penetration Testing
Page 18 1 it's --
2 MR. COBURN: Which certification are you
3 talking about?
4 MR. MAMMO: The SSCP.
5 MR. GONZALEZ: The SSCP --
6 MR. MAMMO: That was added after the last
7 revision on January 1st.
8 MR. COBURN: Well, submit a question on
9 that and we'll review it and determine if that is
10 a -- because I think there was something with the
11 minimal requirements. And I can't remember what the
12 original was.
13 Submit a question on that and we will get
14 some clarifications. I believe all the minimal
15 requirements are going to be required for this test.
16 It could mean like what we need or I need as far as
17 --
18 MR. SPENCE: Yeah. The minimal
19 requirements aren't going to change unless we move
20 for it.
21 MR. GONZALEZ: Understood.
Coast to coast coverage Evans Reporting Service Over 25 years
Unsurpassed excellence 800-256-8410 award-winning service
-
Pre-Bid Conference 1/17/2017 Pre-Bid Conference for Security and
Penetration Testing
Page 19 1 MR. SPENCE: So if you guys submit your
2 questions, if we need clarity to one of those rules,
3 we will make that announcement to everyone we know.
4 For now, the requirements -- the minimal
5 requirements that are in the solicitation are what
6 you need to be able to respond to.
7 All right. We're going to go ahead and
8 close this down. I thank everyone for coming today.
9 Again, your questions are due tomorrow by 5 o'clock
10 p.m. local time. If you have any questions about
11 this whole meeting, just give me a call, send me an
12 e-mail. Everyone's going to get a copy of the
13 transcripts of this by e-mail. And that's it.
14 Everyone have a good day.
15 (The conference concluded at 2:19 p.m.)
16
17
18
19
20
21
Coast to coast coverage Evans Reporting Service Over 25 years
Unsurpassed excellence 800-256-8410 award-winning service
-
Page 20 1 REPORTER'S CERTIFICATE
2 STATE OF MARYLAND
3 CITY OF BALTIMORE
4 I, Erica Jones, a Notary Public of the State of
5 Maryland, Baltimore City, do hereby certify that the
6 above-captioned proceeding took place before me at the
7 time and place herein set out.
8 I further certify that the proceeding was
9 recorded stenographically by me and this transcript is a
10 true record of the proceedings.
11 I further certify that I am not of counsel to
12 any of the parties, nor an employee of counsel, nor
13 related to any of the parties, nor in any way interested
14 in the outcome of the action.
15 As witness my hand and seal this 18th day of
16 January, 2017.
17
18
19
20 Erica Jones
21 My Commission Expires 02/22/2020
_______________________________
Pre-Bid Conference 1/17/2017 Pre-Bid Conference for Security and
Penetration Testing
Coast to coast coverage Evans Reporting Service Over 25 years
Unsurpassed excellence 800-256-8410 award-winning service
q&A D80B5400025 (SVPT)pbc011717conference20 Full (3)